Malware uses Google Docs to communicate with control hub
Executive Summary:
One of the many services Google provides is Google Docs, which allows users to share their documents with others and can allow the shared documents to be edited. One of the features of Google Docs is the “viewer”, whose purpose is to let users look at a document stored on another individual’s computer. Recently, Symantec researchers discovered a new malware iteration that exploits the Google Docs viewer function. The malware, the backdoor Trojan Makadocs, operates by sending phishing emails to individuals and trying to entice them to open an attached Word or RTF document. The document contains lines of malicious code that trigger the download of the malware onto the individual’s machine, where it can steal the individual’s information. What makes this malware interesting is that it attempts to hide its outgoing communication (the information the hackers are trying to steal) as encrypted traffic. Security products do not always catch it, because the encrypted traffic appears to be going to Google, a trusted service. The malware relays its traffic through the “viewer”, so the connection the victim’s machine makes appears to go to Google, while the seemingly innocent requests are forwarded on to the hacker’s command and control server without the victim’s knowledge. Thankfully, there have only been 100 Makadocs infections, all in Brazil, and it is believed that the hackers were only testing the malware.
Analysis:
Overall, Google is susceptible to a loss of users if it does not provide adequate security for its product. Some of the functions of Google Docs have vulnerabilities, especially the viewer function, where hackers can download malware onto users’ computers. The easiest step for Google to take would be to block the malware’s connection to the Google Docs server through the use of a firewall. Furthermore, Google should be watching the incoming and outgoing transmissions it receives for suspicious activity. Google’s monitoring should be able to identify when its server is used as an intermediary step in the process of sending users’ information to hackers. Google’s programmers could also rewrite the viewer feature to disallow this exploit. The hackers are using social engineering to entice people to open the email and the attached document, so the easiest way to prevent the attack would be for the recipient to delete the email. A good rule to follow would be to never open documents from sources you don’t know or trust.
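The monitoring the analysis calls for can also be done on the victim side: a web proxy sees every request the infected host makes to the viewer, including the real destination it asks the viewer to fetch. The following is an added example, not code from the original article or from Symantec; it assumes a viewer URL of the form https://docs.google.com/viewer?url=..., a constructed proxy-log format, and placeholder hosts (example-c2.invalid, www.example.com), and flags clients that repeatedly fetch a non-allow-listed host through the viewer.

```python
# Detection heuristic for Docs-viewer relay traffic (added example, assumptions noted below).
from urllib.parse import urlparse, parse_qs
from collections import Counter

# Constructed sample proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOG = """\
2012-11-20T10:00:01 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2Fexample-c2.invalid%2Fgate.php%3Fid%3D42 200
2012-11-20T10:00:03 10.0.0.7 GET https://docs.google.com/document/d/abc123/edit 200
2012-11-20T10:00:05 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2Fexample-c2.invalid%2Fgate.php%3Fid%3D43 200
2012-11-20T10:00:09 10.0.0.9 GET https://docs.google.com/viewer?url=https%3A%2F%2Fwww.example.com%2Freport.pdf 200
2012-11-20T10:01:02 10.0.0.5 GET https://docs.google.com/viewer?url=http%3A%2F%2Fexample-c2.invalid%2Fgate.php%3Fid%3D44 200
"""

# Assumed viewer host, path and parameter name: the viewer fetches the URL
# named in ``url`` on the client's behalf, so that is the real destination.
VIEWER_HOST = "docs.google.com"
VIEWER_PATH = "/viewer"
# Hosts this organisation legitimately previews through the viewer (assumed).
KNOWN_GOOD_HOSTS = {"www.example.com"}

def viewer_target(request_url):
    """Return the host named in the viewer's url= parameter, or None if the
    request is not a viewer request or carries no url parameter."""
    parsed = urlparse(request_url)
    if parsed.hostname != VIEWER_HOST or parsed.path != VIEWER_PATH:
        return None
    inner = parse_qs(parsed.query).get("url")
    if not inner:
        return None
    return urlparse(inner[0]).hostname

def find_suspect_viewer_requests(log_text, min_hits=2):
    """Return {(client, target_host): count} for viewer requests to hosts that are
    not allow-listed and recur at least min_hits times from one client (beaconing)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        client, url = fields[1], fields[3]
        target = viewer_target(url)
        if target and target not in KNOWN_GOOD_HOSTS:
            counts[(client, target)] += 1
    return {k: v for k, v in counts.items() if v >= min_hits}

if __name__ == "__main__":
    for (client, host), n in find_suspect_viewer_requests(SAMPLE_LOG).items():
        print(f"{client} fetched {host} via the Docs viewer {n} times")
```

On the constructed log, only 10.0.0.5 is reported, because its three viewer requests all point at the same non-allow-listed host; the single preview of an allow-listed PDF from 10.0.0.9 is ignored.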